Embodiments of the invention generally relate to authenticating and authorizing web service requests. In some embodiments, an enforcement point intercepts web service requests and authenticates and authorizes them based on the content of the request.
Apache CXF is an open source services framework. CXF is utilized by developers to build and develop services using front-end programming application programming interfaces (APIs), such as JAX-WS and JAX-RS. JAX-WS is used for XML-based services only, particularly SOAP, while JAX-RS is used for RESTful services and can support any data encoding. These services can speak a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP or JMS.
Conventional approaches for providing access control for web services involve creating a security context that a web service must process to determine if the client is authorized to perform the action before executing any business logic. However, any change in authorization policy requires making changes to the code containing the application business logic. In order to make this task less onerous, some frameworks permit the annotation of sections of the code. Although this is somewhat easier than modifying the code itself, it still involves modification of the package that contains the web service business logic and requires re-compilation and restart of the runtime.
For authentication, some frameworks provide callback methods that the developer must implement in order to perform the required authentication checks. Even though the code for these callbacks is typically separated from the business logic, the callback code is still often found in the same package, which means that if there is a change in authentication policy then re-compilation and restart of the runtime is necessary.
The present inventor recognized opportunities for providing methods and systems for configuring authentication and authorization logic for web service calls which do not require modification of any of the business logic and do not require re-compilation and restart of the runtime.
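The following Java listing is an added illustration of the two approaches contrasted above and is not code from this application, from the claimed invention, or from the Apache CXF project. It shows the conventional annotation style (a `@RolesAllowed` rule compiled into the business-logic class) next to a CXF in-interceptor that decides on the request's HTTP method and path against a policy loaded at startup, so that the policy can change without touching the resource class. Assumptions: CXF 3.x with the `javax` JAX-RS namespace; an earlier authentication interceptor or the servlet container has already populated CXF's `SecurityContext`; the policy key format `METHOD /path` and the role names are invented for the example; the sample policy text is constructed inline rather than read from a file.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

// Conventional approach: the authorization rule is an annotation inside the
// business-logic package, so a policy change means editing this class,
// recompiling it and restarting the runtime.
@Path("/orders")
class OrderResource {
    @GET
    @RolesAllowed("orders-reader")
    public String listOrders() {
        return "[]"; // business logic would go here
    }
}

// Externalised alternative (illustration only, not the applicant's method): a
// CXF in-interceptor that runs before the resource method and authorizes the
// request from its HTTP method and path against a policy loaded at startup.
public class FilePolicyAuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {

    // Policy keys are "METHOD /path" (an assumed format for this example);
    // values are comma-separated roles, e.g. "GET /orders=orders-reader,admin".
    private final Properties policy;

    public FilePolicyAuthorizationInterceptor(Properties policy) {
        super(Phase.PRE_INVOKE); // after authentication, before the service method
        this.policy = policy;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        String path = (String) message.get(Message.REQUEST_URI);
        String allowed = policy.getProperty(method + " " + path);

        // Fail closed: a request that matches no policy entry is denied rather
        // than falling through to the business logic.
        if (allowed == null) {
            throw new Fault(new AccessDeniedException("no policy for " + method + " " + path));
        }

        // Assumption: SecurityContext was populated by an earlier authentication
        // interceptor or by the servlet container.
        SecurityContext sc = message.get(SecurityContext.class);
        if (sc == null || sc.getUserPrincipal() == null) {
            throw new Fault(new AuthenticationException("unauthenticated request to " + path));
        }
        for (String role : allowed.split(",")) {
            if (sc.isUserInRole(role.trim())) {
                return; // authorized; the chain continues to the resource method
            }
        }
        throw new Fault(new AccessDeniedException(
            sc.getUserPrincipal().getName() + " lacks a required role for " + method + " " + path));
    }

    // Wiring example. The policy text is constructed inline here; in a deployment
    // it would be loaded from a file so it can change without a rebuild.
    public static void main(String[] args) throws IOException {
        Properties policy = new Properties();
        policy.load(new StringReader(
            "GET /orders=orders-reader,admin\n"
          + "POST /orders=admin\n"));

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(OrderResource.class);
        sf.setAddress("http://localhost:9000/");
        sf.getInInterceptors().add(new FilePolicyAuthorizationInterceptor(policy));
        sf.create();
    }
}
```

Two caveats for anyone adapting this: `Message.REQUEST_URI` carries the request path as the transport saw it (including any servlet context path, excluding the query string), so the policy keys must match that form exactly, and a production interceptor should normalise the path (trailing slashes, percent-encoding, dot segments) before the lookup so that a variant spelling of the same resource cannot slip past an exact-match table. The fail-closed branch above is what makes an incomplete policy file a denial rather than an open door.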